[FFmpeg-devel] question about submitting security patches

[FFmpeg-devel] question about submitting security patches

[Thomas Dullien via ffmpeg-devel]

Hey all,

after the recent social media discussion around P0 reported bugs etc. I'd
like to
contribute a few patches for a few open crash bugs in the bugtracker (and
hopefully
for the remaining BIGSLEEP bug reports, too).

I am using a coding assistant combined with a stack of ASAN + rr, and while
I am not
an export on ffmpeg, I am some sort of expert on vulnerabilities.

I have prepared AI-assisted patches for https://trac.ffmpeg.org/ticket/11693
and
https://trac.ffmpeg.org/ticket/11691, and I'll review them some more but
both the
root-cause analysis and the patch seem good.

What's the best way to submit these patches? There is the bug tracker,
there is this
mailing list - what's the best way to contribute them?

Cheers,
Thomas
_______________________________________________
ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org
To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org

[FFmpeg-devel] Re: question about submitting security patches

[Rémi Denis-Courmont via ffmpeg-devel]

Le lauantaina 8. marraskuuta 2025, 10.34.24 Itä-Euroopan normaaliaika Thomas 
Dullien via ffmpeg-devel a écrit :
> What's the best way to submit these patches? There is the bug tracker,
> there is this mailing list - what's the best way to contribute them?

I don't think that DNN-generated patches are compatible with the LGPL in the 
first place, or it is at best very uncertain that they are. So then you cannot 
contribute DNN-generated patches in any useful way at all.

-- 
Rémi Denis-Courmont
https://www.remlab.net/



_______________________________________________
ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org
To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org

[FFmpeg-devel] Re: question about submitting security patches

[Thomas Dullien via ffmpeg-devel]

Hey there,


I've ended up creating a PR and made sure the patch code itself is
human-written, hence untainted - LLMs are just used in the crash triage and
analysis.

Thanks for the reply!

One (open) question: is generating commit messages by an LLM permissible,
or is that something that should also be done by human hand?

Cheers,
Thomas

On Mon, Nov 10, 2025, 5:04 PM Rémi Denis-Courmont via ffmpeg-devel <
ffmpeg-devel@ffmpeg.org> wrote:

> Le lauantaina 8. marraskuuta 2025, 10.34.24 Itä-Euroopan normaaliaika
> Thomas
> Dullien via ffmpeg-devel a écrit :
> > What's the best way to submit these patches? There is the bug tracker,
> > there is this mailing list - what's the best way to contribute them?
>
> I don't think that DNN-generated patches are compatible with the LGPL in
> the
> first place, or it is at best very uncertain that they are. So then you
> cannot
> contribute DNN-generated patches in any useful way at all.
>
> --
> Rémi Denis-Courmont
> https://www.remlab.net/
>
>
>
> _______________________________________________
> ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org
> To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org
>
_______________________________________________
ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org
To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org

[FFmpeg-devel] Re: question about submitting security patches

[Michael Niedermayer via ffmpeg-devel]

[-- Attachment #1.1: Type: text/plain, Size: 940 bytes --]

Hi Remi

On Mon, Nov 10, 2025 at 06:03:38PM +0200, Rémi Denis-Courmont via ffmpeg-devel wrote:
> Le lauantaina 8. marraskuuta 2025, 10.34.24 Itä-Euroopan normaaliaika Thomas 
> Dullien via ffmpeg-devel a écrit :
> > What's the best way to submit these patches? There is the bug tracker,
> > there is this mailing list - what's the best way to contribute them?
> 
> I don't think that DNN-generated patches are compatible with the LGPL in the 
> first place, or it is at best very uncertain that they are. So then you cannot 
> contribute DNN-generated patches in any useful way at all.

If you have concrete legal analysis or case law that supports this claim, please share it.

thx
--
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

In fact, the RIAA has been known to suggest that students drop out
of college or go to community college in order to be able to afford
settlements. -- The RIAA

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

[-- Attachment #2: Type: text/plain, Size: 163 bytes --]

_______________________________________________
ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org
To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org

[FFmpeg-devel] Re: question about submitting security patches

[Rémi Denis-Courmont via ffmpeg-devel]

Le 11 novembre 2025 04:59:42 GMT+02:00, Michael Niedermayer via ffmpeg-devel <ffmpeg-devel@ffmpeg.org> a écrit :
>Hi Remi
>
>On Mon, Nov 10, 2025 at 06:03:38PM +0200, Rémi Denis-Courmont via ffmpeg-devel wrote:
>> Le lauantaina 8. marraskuuta 2025, 10.34.24 Itä-Euroopan normaaliaika Thomas 
>> Dullien via ffmpeg-devel a écrit :
>> > What's the best way to submit these patches? There is the bug tracker,
>> > there is this mailing list - what's the best way to contribute them?
>> 
>> I don't think that DNN-generated patches are compatible with the LGPL in the 
>> first place, or it is at best very uncertain that they are. So then you cannot 
>> contribute DNN-generated patches in any useful way at all.
>
>If you have concrete legal analysis or case law that supports this claim, please share it.

You can check what LF, Fedora, QEMU, etc, and their lawyers already did on that front.
_______________________________________________
ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org
To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org

[FFmpeg-devel] Re: question about submitting security patches

[Gyan Doshi via ffmpeg-devel]

On 2025-11-11 12:19 pm, Rémi Denis-Courmont via ffmpeg-devel wrote:
>
> Le 11 novembre 2025 04:59:42 GMT+02:00, Michael Niedermayer via ffmpeg-devel<ffmpeg-devel@ffmpeg.org>  a écrit :
>> Hi Remi
>>
>> On Mon, Nov 10, 2025 at 06:03:38PM +0200, Rémi Denis-Courmont via ffmpeg-devel wrote:
>>> Le lauantaina 8. marraskuuta 2025, 10.34.24 Itä-Euroopan normaaliaika Thomas
>>> Dullien via ffmpeg-devel a écrit :
>>>> What's the best way to submit these patches? There is the bug tracker,
>>>> there is this mailing list - what's the best way to contribute them?
>>> I don't think that DNN-generated patches are compatible with the LGPL in the
>>> first place, or it is at best very uncertain that they are. So then you cannot
>>> contribute DNN-generated patches in any useful way at all.
>> If you have concrete legal analysis or case law that supports this claim, please share it.
> You can check what LF, Fedora, QEMU, etc, and their lawyers already did on that front.

QEMU is the only one which forbids AI
https://github.com/qemu/qemu/commit/3d40db0efc

The others provide caveats but do provide a pathway for AI contributions.

The Linux Foundation says, "Code or other content generated in whole or 
in part using AI tools can be contributed to Linux Foundation projects.  
..."
https://www.linuxfoundation.org/legal/generative-ai

Fedora says, this, "You *MAY* use AI assistance for contributing to 
Fedora, as long as you follow the principles described below..."
https://docs.fedoraproject.org/en-US/council/policy/ai-contribution-policy/

Regards,
Gyan
_______________________________________________
ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org
To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org

[FFmpeg-devel] Re: question about submitting security patches

[Kieran Kunhya via ffmpeg-devel]

On Mon, 10 Nov 2025, 19:00 Michael Niedermayer via ffmpeg-devel, <
ffmpeg-devel@ffmpeg.org> wrote:

> Hi Remi
>
> On Mon, Nov 10, 2025 at 06:03:38PM +0200, Rémi Denis-Courmont via
> ffmpeg-devel wrote:
> > Le lauantaina 8. marraskuuta 2025, 10.34.24 Itä-Euroopan normaaliaika
> Thomas
> > Dullien via ffmpeg-devel a écrit :
> > > What's the best way to submit these patches? There is the bug tracker,
> > > there is this mailing list - what's the best way to contribute them?
> >
> > I don't think that DNN-generated patches are compatible with the LGPL in
> the
> > first place, or it is at best very uncertain that they are. So then you
> cannot
> > contribute DNN-generated patches in any useful way at all.
>
> If you have concrete legal analysis or case law that supports this claim,
> please share it.
>

If an LLM was trained on the leaked Microsoft Windows source code and it
used elements of that code when asked to write an FFmpeg patch, would that
patch be acceptable in your eyes?

Kieran

>
_______________________________________________
ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org
To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org

[FFmpeg-devel] Re: question about submitting security patches

[Christophe Gisquet via ffmpeg-devel]

Hello,

Le mar. 11 nov. 2025 à 04:01, Michael Niedermayer via ffmpeg-devel
<ffmpeg-devel@ffmpeg.org> a écrit :
> If you have concrete legal analysis or case law that supports this claim, please share it.

I can name at least one Fortune 500 companies, that maybe won't
disclose publicly these facts, that did equivalent analysis and have
basically forbidden use of "AI"-generated code for distributed
software.
By way of consequence, if that matters to you, maybe these companies
would be very concerned that the ffmpeg project included such code.

Second, Gyan's Linux Foundation link is extremely telling:
1) You need to be able to identify whether the LLM output comes from
copyrighted code. ie, what it was trained on.
2) You need to report the portions affected, included with license
It's not making it forbidden, just impossible to abide by.

-- 
Christophe
_______________________________________________
ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org
To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org

[FFmpeg-devel] Re: question about submitting security patches

[Thomas Dullien via ffmpeg-devel]

Hey all,

a quick note: As a person outside of the ffmpeg project that just happened
to contribute a patch,
here is my understanding of the legal situation:

1) Strictly speaking, "nobody knows" what the legalities of LLMs are going
to be. The big LLM providers are trying hard
to establish precedent(s) so that when the actual laws are adapted, they
will reflect current practice; therefore the LLM
providers try very hard to establish "as practice" what is beneficial to
themselves.
2) It is very instructive to look at the process that ended up with
software falling under copyright law. This is much more
recent than people think: The CONTU commission ran from 1974 to 1978, and
it wasn't until 1980 that the law that put
software firmly under the copyright regime we know today was passed. If you
love copyright law, you can find their
meeting notes online.
3) If you take a strict interpretation of the current copyright law, LLM
weights cannot be copyrighted (they are derived by
applying a formula to data, not a creative act); this hasn't stopped all
the LLM companies to attach license terms to their
releases, pretending as if copyright applied. The goal here is to establish
precedent so that in the future LLM weights
will be deemed copyrightable.
4) There are valid arguments that - if LLM weights are copyrightable - they
might be derived works of the training data,
and with it, the output would be tainted (by being similar to a song that
consists only of sampled music: There is some
input by the composer, but it remixes lots of other copyrighted material).
There are practical issues with this, but more
importantly, given the importance of the AI boom for US GDP currently,
there are strong economic incentives for this
interpretation to not gain traction.
5) So the current position that the LLM providers take is "our weights are
copyrightable (even when current law says it
isn't), but all your data we trained on is present in such miniscule
dilution that there's no taint" (even when current law
provides arguments it should be). Clearly this is primarily serving their
own interests, with the goal to establish law in
their favour.

Given that the future legal regime is entirely unclear, it is a valid
decision for each person (or group of persons) that
maintains code to either (a) take the side that the most likely outcome is
that LLM-generated output is taint-free, or
(b) take the side that the most likely outcome is that LLM-generated output
is tainted. This is less a statement about
today's laws, and more a statement about "which societal forces will be
stronger in shaping the consensus".

I'm completely impartial to what FFmpeg (as a project) decides - for the
moment, the patch is human-authored
anyhow, so it doesn't matter much for *this patch*.

That said, it would be helpful to know if commit messages can be authored
by AI if clearly labeled. If societal
consensus falls on the side of AI output being tainted, commit messages
*can* be removed automatically, albeit
at a cost of changing the hashes in the git commit history.

Cheers,
Thomas



Am Mi., 12. Nov. 2025 um 09:24 Uhr schrieb Christophe Gisquet via
ffmpeg-devel <ffmpeg-devel@ffmpeg.org>:

> Hello,
>
> Le mar. 11 nov. 2025 à 04:01, Michael Niedermayer via ffmpeg-devel
> <ffmpeg-devel@ffmpeg.org> a écrit :
> > If you have concrete legal analysis or case law that supports this
> claim, please share it.
>
> I can name at least one Fortune 500 companies, that maybe won't
> disclose publicly these facts, that did equivalent analysis and have
> basically forbidden use of "AI"-generated code for distributed
> software.
> By way of consequence, if that matters to you, maybe these companies
> would be very concerned that the ffmpeg project included such code.
>
> Second, Gyan's Linux Foundation link is extremely telling:
> 1) You need to be able to identify whether the LLM output comes from
> copyrighted code. ie, what it was trained on.
> 2) You need to report the portions affected, included with license
> It's not making it forbidden, just impossible to abide by.
>
> --
> Christophe
> _______________________________________________
> ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org
> To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org
>
_______________________________________________
ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org
To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org

[FFmpeg-devel] Re: question about submitting security patches

[Michael Niedermayer via ffmpeg-devel]

[-- Attachment #1.1: Type: text/plain, Size: 1637 bytes --]

Hi Kieran

On Wed, Nov 12, 2025 at 12:09:00AM -0800, Kieran Kunhya via ffmpeg-devel wrote:
> On Mon, 10 Nov 2025, 19:00 Michael Niedermayer via ffmpeg-devel, <
> ffmpeg-devel@ffmpeg.org> wrote:
> 
> > Hi Remi
> >
> > On Mon, Nov 10, 2025 at 06:03:38PM +0200, Rémi Denis-Courmont via
> > ffmpeg-devel wrote:
> > > Le lauantaina 8. marraskuuta 2025, 10.34.24 Itä-Euroopan normaaliaika
> > Thomas
> > > Dullien via ffmpeg-devel a écrit :
> > > > What's the best way to submit these patches? There is the bug tracker,
> > > > there is this mailing list - what's the best way to contribute them?
> > >
> > > I don't think that DNN-generated patches are compatible with the LGPL in
> > the
> > > first place, or it is at best very uncertain that they are. So then you
> > cannot
> > > contribute DNN-generated patches in any useful way at all.
> >
> > If you have concrete legal analysis or case law that supports this claim,
> > please share it.
> >
> 
> If an LLM was trained on the leaked Microsoft Windows source code and it
> used elements of that code when asked to write an FFmpeg patch, would that
> patch be acceptable in your eyes?

If a human was trained on the leaked Microsoft Windows source code and he
used elements of that code when asked to write an FFmpeg patch, would that
patch be acceptable in your eyes?

We should forbid human written code?

thx

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

No human being will ever know the Truth, for even if they happen to say it
by chance, they would not even known they had done so. -- Xenophanes

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

[-- Attachment #2: Type: text/plain, Size: 163 bytes --]

_______________________________________________
ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org
To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org

[FFmpeg-devel] Re: question about submitting security patches

[Kieran Kunhya via ffmpeg-devel]

On Thu, 13 Nov 2025, 03:07 Michael Niedermayer via ffmpeg-devel, <
ffmpeg-devel@ffmpeg.org> wrote:

> Hi Kieran
>
> On Wed, Nov 12, 2025 at 12:09:00AM -0800, Kieran Kunhya via ffmpeg-devel
> wrote:
> > On Mon, 10 Nov 2025, 19:00 Michael Niedermayer via ffmpeg-devel, <
> > ffmpeg-devel@ffmpeg.org> wrote:
> >
> > > Hi Remi
> > >
> > > On Mon, Nov 10, 2025 at 06:03:38PM +0200, Rémi Denis-Courmont via
> > > ffmpeg-devel wrote:
> > > > Le lauantaina 8. marraskuuta 2025, 10.34.24 Itä-Euroopan normaaliaika
> > > Thomas
> > > > Dullien via ffmpeg-devel a écrit :
> > > > > What's the best way to submit these patches? There is the bug
> tracker,
> > > > > there is this mailing list - what's the best way to contribute
> them?
> > > >
> > > > I don't think that DNN-generated patches are compatible with the
> LGPL in
> > > the
> > > > first place, or it is at best very uncertain that they are. So then
> you
> > > cannot
> > > > contribute DNN-generated patches in any useful way at all.
> > >
> > > If you have concrete legal analysis or case law that supports this
> claim,
> > > please share it.
> > >
> >
> > If an LLM was trained on the leaked Microsoft Windows source code and it
> > used elements of that code when asked to write an FFmpeg patch, would
> that
> > patch be acceptable in your eyes?
>
> If a human was trained on the leaked Microsoft Windows source code and he
> used elements of that code when asked to write an FFmpeg patch, would that
> patch be acceptable in your eyes?
>
> We should forbid human written code?
>

An AI is not a human.

AIs have been shown to regurgitate copyrighted material when asked to solve
a problem.

Kieran

>
_______________________________________________
ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org
To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org

[FFmpeg-devel] Re: question about submitting security patches

[compn via ffmpeg-devel]

On 2025-11-08 00:34, Thomas Dullien via ffmpeg-devel wrote:

> What's the best way to submit these patches? There is the bug tracker,
> there is this
> mailing list - what's the best way to contribute them?
> 
> Cheers,
> Thomas

the best way is whatever you prefer.
https://code.ffmpeg.org/FFmpeg is the new way.
the mailing list is also OK to post patches.

-compn
compn@ffmpeg.org
_______________________________________________
ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org
To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org

[FFmpeg-devel] Re: question about submitting security patches

[Timo Rothenpieler via ffmpeg-devel]

On 13/11/2025 04:06, Michael Niedermayer via ffmpeg-devel wrote:
> Hi Kieran
> 
> On Wed, Nov 12, 2025 at 12:09:00AM -0800, Kieran Kunhya via ffmpeg-devel wrote:
>> On Mon, 10 Nov 2025, 19:00 Michael Niedermayer via ffmpeg-devel, <
>> ffmpeg-devel@ffmpeg.org> wrote:
>>
>>> Hi Remi
>>>
>>> On Mon, Nov 10, 2025 at 06:03:38PM +0200, Rémi Denis-Courmont via
>>> ffmpeg-devel wrote:
>>>> Le lauantaina 8. marraskuuta 2025, 10.34.24 Itä-Euroopan normaaliaika
>>> Thomas
>>>> Dullien via ffmpeg-devel a écrit :
>>>>> What's the best way to submit these patches? There is the bug tracker,
>>>>> there is this mailing list - what's the best way to contribute them?
>>>>
>>>> I don't think that DNN-generated patches are compatible with the LGPL in
>>> the
>>>> first place, or it is at best very uncertain that they are. So then you
>>> cannot
>>>> contribute DNN-generated patches in any useful way at all.
>>>
>>> If you have concrete legal analysis or case law that supports this claim,
>>> please share it.
>>>
>>
>> If an LLM was trained on the leaked Microsoft Windows source code and it
>> used elements of that code when asked to write an FFmpeg patch, would that
>> patch be acceptable in your eyes?
> 
> If a human was trained on the leaked Microsoft Windows source code and he
> used elements of that code when asked to write an FFmpeg patch, would that
> patch be acceptable in your eyes?
> 
> We should forbid human written code?

I mean, that is in fact generally how situations like that are handled.
At least I have seen it multiple times on Projects like the Dolphin 
Emulator that people who read the leaked Nintendo code were barred from 
ever contributing again once found out, cause it would give Nintendo 
legal ground to take down the project.
_______________________________________________
ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org
To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org

[FFmpeg-devel] Re: question about submitting security patches

[Michael Niedermayer via ffmpeg-devel]

[-- Attachment #1.1: Type: text/plain, Size: 2139 bytes --]

Hi Kieran

On Thu, Nov 13, 2025 at 03:52:17AM +0000, Kieran Kunhya via ffmpeg-devel wrote:
> On Thu, 13 Nov 2025, 03:07 Michael Niedermayer via ffmpeg-devel, <
> ffmpeg-devel@ffmpeg.org> wrote:
> 
> > Hi Kieran
> >
> > On Wed, Nov 12, 2025 at 12:09:00AM -0800, Kieran Kunhya via ffmpeg-devel
> > wrote:
> > > On Mon, 10 Nov 2025, 19:00 Michael Niedermayer via ffmpeg-devel, <
> > > ffmpeg-devel@ffmpeg.org> wrote:
> > >
> > > > Hi Remi
> > > >
> > > > On Mon, Nov 10, 2025 at 06:03:38PM +0200, Rémi Denis-Courmont via
> > > > ffmpeg-devel wrote:
> > > > > Le lauantaina 8. marraskuuta 2025, 10.34.24 Itä-Euroopan normaaliaika
> > > > Thomas
> > > > > Dullien via ffmpeg-devel a écrit :
> > > > > > What's the best way to submit these patches? There is the bug
> > tracker,
> > > > > > there is this mailing list - what's the best way to contribute
> > them?
> > > > >
> > > > > I don't think that DNN-generated patches are compatible with the
> > LGPL in
> > > > the
> > > > > first place, or it is at best very uncertain that they are. So then
> > you
> > > > cannot
> > > > > contribute DNN-generated patches in any useful way at all.
> > > >
> > > > If you have concrete legal analysis or case law that supports this
> > claim,
> > > > please share it.
> > > >
> > >
> > > If an LLM was trained on the leaked Microsoft Windows source code and it
> > > used elements of that code when asked to write an FFmpeg patch, would
> > that
> > > patch be acceptable in your eyes?
> >
> > If a human was trained on the leaked Microsoft Windows source code and he
> > used elements of that code when asked to write an FFmpeg patch, would that
> > patch be acceptable in your eyes?
> >
> > We should forbid human written code?
> >
> 
> An AI is not a human.
> 
> AIs have been shown to regurgitate copyrighted material when asked to solve
> a problem.

Humans have done that as well, still we allow human contributions

thx

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Some Animals are More Equal Than Others. - George Orwell's book Animal Farm

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

[-- Attachment #2: Type: text/plain, Size: 163 bytes --]

_______________________________________________
ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org
To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org

[FFmpeg-devel] Re: question about submitting security patches

[ff--- via ffmpeg-devel]

On 2025-11-13 06:50, Timo Rothenpieler via ffmpeg-devel wrote:
> On 13/11/2025 04:06, Michael Niedermayer via ffmpeg-devel wrote:
>> Hi Kieran
>> 
>> On Wed, Nov 12, 2025 at 12:09:00AM -0800, Kieran Kunhya via 
>> ffmpeg-devel wrote:
>>> On Mon, 10 Nov 2025, 19:00 Michael Niedermayer via ffmpeg-devel, <
>>> ffmpeg-devel@ffmpeg.org> wrote:
>>> 
>>>> Hi Remi
>>>> 
>>>> On Mon, Nov 10, 2025 at 06:03:38PM +0200, Rémi Denis-Courmont via
>>>> ffmpeg-devel wrote:
>>>>> Le lauantaina 8. marraskuuta 2025, 10.34.24 Itä-Euroopan 
>>>>> normaaliaika
>>>> Thomas
>>>>> Dullien via ffmpeg-devel a écrit :
>>>>>> What's the best way to submit these patches? There is the bug 
>>>>>> tracker,
>>>>>> there is this mailing list - what's the best way to contribute 
>>>>>> them?
>>>>> 
>>>>> I don't think that DNN-generated patches are compatible with the 
>>>>> LGPL in
>>>> the
>>>>> first place, or it is at best very uncertain that they are. So then 
>>>>> you
>>>> cannot
>>>>> contribute DNN-generated patches in any useful way at all.
>>>> 
>>>> If you have concrete legal analysis or case law that supports this 
>>>> claim,
>>>> please share it.
>>>> 
>>> 
>>> If an LLM was trained on the leaked Microsoft Windows source code and 
>>> it
>>> used elements of that code when asked to write an FFmpeg patch, would 
>>> that
>>> patch be acceptable in your eyes?
>> 
>> If a human was trained on the leaked Microsoft Windows source code and 
>> he
>> used elements of that code when asked to write an FFmpeg patch, would 
>> that
>> patch be acceptable in your eyes?
>> 
>> We should forbid human written code?
> 
> I mean, that is in fact generally how situations like that are handled.
> At least I have seen it multiple times on Projects like the Dolphin 
> Emulator that people who read the leaked Nintendo code were barred from 
> ever contributing again once found out, cause it would give Nintendo 
> legal ground to take down the project.

the small fixes to regular code in ffmpeg wont be fixed with 1000 lines 
of windows/nintendo source code so its a bit of a moot point.

-compn
_______________________________________________
ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org
To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org

[FFmpeg-devel] Re: question about submitting security patches

[Tobias Rapp via ffmpeg-devel]

On 13/11/2025 15:50, Timo Rothenpieler via ffmpeg-devel wrote:

> On 13/11/2025 04:06, Michael Niedermayer via ffmpeg-devel wrote:
>> Hi Kieran
>>
>> On Wed, Nov 12, 2025 at 12:09:00AM -0800, Kieran Kunhya via 
>> ffmpeg-devel wrote:
>>> On Mon, 10 Nov 2025, 19:00 Michael Niedermayer via ffmpeg-devel, <
>>> ffmpeg-devel@ffmpeg.org> wrote:
>>>
>>>> Hi Remi
>>>>
>>>> On Mon, Nov 10, 2025 at 06:03:38PM +0200, Rémi Denis-Courmont via
>>>> ffmpeg-devel wrote:
>>>>> Le lauantaina 8. marraskuuta 2025, 10.34.24 Itä-Euroopan normaaliaika
>>>> Thomas
>>>>> Dullien via ffmpeg-devel a écrit :
>>>>>> What's the best way to submit these patches? There is the bug 
>>>>>> tracker,
>>>>>> there is this mailing list - what's the best way to contribute them?
>>>>>
>>>>> I don't think that DNN-generated patches are compatible with the 
>>>>> LGPL in
>>>> the
>>>>> first place, or it is at best very uncertain that they are. So 
>>>>> then you
>>>> cannot
>>>>> contribute DNN-generated patches in any useful way at all.
>>>>
>>>> If you have concrete legal analysis or case law that supports this 
>>>> claim,
>>>> please share it.
>>>>
>>>
>>> If an LLM was trained on the leaked Microsoft Windows source code 
>>> and it
>>> used elements of that code when asked to write an FFmpeg patch, 
>>> would that
>>> patch be acceptable in your eyes?
>>
>> If a human was trained on the leaked Microsoft Windows source code 
>> and he
>> used elements of that code when asked to write an FFmpeg patch, would 
>> that
>> patch be acceptable in your eyes?
>>
>> We should forbid human written code?
>
> I mean, that is in fact generally how situations like that are handled.
> At least I have seen it multiple times on Projects like the Dolphin 
> Emulator that people who read the leaked Nintendo code were barred 
> from ever contributing again once found out, cause it would give 
> Nintendo legal ground to take down the project.

That seems a bit over-cautious, like banning all contributions where 
LLMs have been involved.

The discussion was started with the topic of security patches in mind, 
and I don't think that the typical 1-3 line patch for buffer overruns or 
pointer double free can be considered copyrightable material. This is 
different from implementing a new codec, or creating a new filter.

Regards, Tobias

_______________________________________________
ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org
To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org